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We claim: 

1. A method for controlling access to a computing system resource, being accessed 
through a symbolic link file, with an externally stored resource comprising the steps of: 

determining a system resource named in the symbolic link through which the 
access attempt is made; 

searching a protected objects database for entries protecting said system resource 
and generating a list of said entries; and 

generating an authorization decision for the access attempt based on security 
policies that govern all entries in the database protecting the system resource. 

2. The method as described in claim 1 wherein said control method grants access if 
said search does not find in the protected objects database, the system resource named in 
the symbolic link through which the access attempt is made. 



15 3. The method as described in claim 1 wherein said authorization decision step 
comprises the steps of: 

retrieving a current entry from said generated database list; 
calling an access decision component of the externally stored resource to obtain 
an access decision for the access attempt based on the security policy that governs the 
20 current entry in the generated database list; 

determining whether the access decision component granted access; 
if the decision component granted access, determining whether more entries are in 
this database list; and 

updating a current entry in said database list when more entries are in the list and 
25 returning to said current entry retrieving step. 

4. The method as described in claim 3 further comprising the step of denying the 
access attempt when the decision component denies access based on the security policy 
for the current database entry. 

30 
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5. The method as described in claim 3 further comprising the step of allowing the 
access attempt if no more entries are in the database list. 

6. The method as described in claim 1 wherein said searching step comprises the 
5 steps of: 

retrieving an entry from the protected objects database; 

comparing the name of the database entry to the name of the system resource that 
is an object of the access attempt; 

when there is a match between the database entry and the system resource name 
10 that is the object of the access attempt, determining whether the resource is named in a 
symbolic link that is listed in the protected object database; and 

generating a list containing the exact found entry, when the entry is not named in 
a symbolic link listed in the protected object database. 

15 7. The method as described in claim 1 wherein said searching step comprises the 
steps of: 

retrieving an entry from the protected objects database; 

comparing the name of the retrieved database entry to the name of the system 
resource that is the object of the access attempt; 
20 when there is a match between the database entry and the name of the resource 

that is the object of the access attempt, determining whether the database entry is named 
in a symbolic link that is listed in the protected object database; 

adding said entry to a list containing found entries, when the entry is named in a 
symbolic link listed in the protected object database; 
25 determining whether there are more entries in the protected object database; and 

updating a current database entry in said database when more entries are in the 
database and returning to said current entry retrieving step. 
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8. The method as described in claim 1 wherein said searching step comprises the 
steps of: 

retrieving an entry from the protected objects database; 

comparing the name of the retrieved database entry to the name of the system 
5 resource that is the object of the access attempt; 

when there is a match between the database entry and the name of the resource 
that is the object of the access attempt, determining whether the database is named in a 
symbolic link that is Usted in the protected object database; 

adding said entry to a list containing found entries, when the entry is named in a 
10 symbolic link listed in the protected object database; 

determining whether there are more entries in the protected object database; and 
retuming the list containing found entries, when there are no more entries. 

9. The method as described in claim 1 further comprising before said retrieving step 
15 the step of generating a protected objects database. 

10. The method as described in claim 9 comprising the steps of: 
retrieving file attributes for a system resource file; 

determining from said retrieved file attributes whether said resource file is a 
20 symbolic link file; 

when resource file is a symbolic link, retrieving the name and attributes of the 
system resource named in the symbolic link; and 

adding the symbolic link and system resource named in the symbolic link to the 
protected objects database. 

25 

11. The method as described in claim 9 comprising the steps of: 
retrieving file attributes for a system resource file; 

determining from said retrieved file attributes whether said resource file is a 
symbolic link file; and 

30 terminating said method and processing the system resource file access attempt 

through other methods. 
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12. The method as described in claim 10 wherein said adding step comprises the steps 
of: 

setting the system resource named in the symboUc link as the child of the 
5 symbolic link; 

setting the symbolic link naming the resources as the parent of said resource; 
adding the symbolic link as an entry in the protected object database; and 
adding the named resource as an entry in the protected objects database. 

10 13. A method for controlling access to a computing system device being accessed 
through symbolic link, said access control being implemented through an externally 
stored resource and comprising the steps of: 

monitoring the computing system for activities related to creating and accessing 
symbolic links that link to system resources; 
15 restricting the creation of symbolic link files based on the rules defined in the 

externally stored resource; and 

restricting accesses to system resources that are linked to and accessed by a 
symbolic link. 

20 14. A computer program product in a computer readable medium for controlling 

access to a computing system resource, being accessed through a symbolic link file, with 

an externally stored resource comprising the steps of: 

instructions for determining a system resource named in the symbolic link 

through which the access attempt is made; 
25 instructions for searching a protected objects database for entries protecting said 

system resources and generating a list of said entries; and 

instructions for generating an authorization decision for the access attempt based 

on the security policies that govern all entries in the database protecting the system 

resource. 

30 
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15. The computer program product as described in claim 14 wherein said 
authorization decision instruction comprises: 

instructions for retrieving the current entry from said generated database list; 
instructions for calling an access decision component of the externally stored 
5 resource to obtain an access decision for the access attempt based on the security policy 
that governs the current entry in the generated database list; 

instructions for determining whether the access decision component granted 

access; 

if the decision component granted access, instructions for determining whether 
10 more entries are in this database list; 

instructions for updating a current entry in said database list when more entries 
are in the list and returning to said current entry retrieving step. 

16. The computer program product as described in claim 15 further comprising 
15 instructions for denying the access attempt when the decision component denies access 

based on the security policy for the current database entry, 

17. The computer program product as described in claim 15 further comprising 
instructions for allowing the access attempt if no more entries in the database list. 

20 

18. The computer program product as described in claim 14 wherein said searching 
instructions comprise: 

instructions for retrieving an entry from the protected objects database; 
instructions for comparing the name of the database entry to the name of a system 
25 resource that is the object of the access attempt; 

instructions for when there is a match between the database entry and the name of 
the resource that is the object of the access attempt, determining whether the system 
resource is named in a symbolic link that is listed in the protected object database; and 

instructions for generating a Ust containing the exact found entry, when the entry 
30 is not named in a symbolic link listed in the protected object database. 
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19. The computer program product as described in claim 14 wherein said searching 
instructions comprise: 

instructions for retrieving an entry from the protected objects database; 

instructions for comparing the name of the database entry to the name of a system 
5 resource that is the object of the access attempt; 

when there is a match between the database entry and the name of the resource 
that is the object of the access attempt, instructions for determining whether the database 
entry is named in a symbolic link that is listed in the protected object database; 

instructions for adding said entry to a list containing found entries, when the entry 
10 is not named in a symbolic link listed in the protected object database; 

instructions for determining whether there are more entries in the protected object 
database; and 

instructions for updating a current database entry in said database when more 
entries are in the database and returning to said current entry retrieving step. 

15 

20. The computer program product as described in claim 14 wherein said searching 
instructions comprise: 

instructions for retrieving an entry from a protected objects database; 

instructions for comparing the name of the retrieved database entry to the name of 
20 a system resource that is the object of the access attempt; 

when there is a match between the database entry and the name of the resource 
that is the object of the access attempt, instructions for determining whether the database 
is named in a symbolic link that is listed in the protected object database; 

instructions for adding said entry to a list containing found entries, when the entry 
25 is not named in a symbolic Hnk listed in the protected object database; 

instructions for determining whether there are more entries in the protected object 
database; and 

instructions for returning the list containing found entries. 

30 21. The method as described in claim 20 further comprising before said retrieving 
instructions the instructions for generating a protected objects database. 
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22. A computer connectable to a distributed computing system, which included 
symbolic links pointing to system resources and comprising: 

a processor; 

a native operating system; 
application programs; 

an externally stored authorization program overlaying said native operating 
system and augmenting the standard security controls of said native operating system; 

a protected objects database within said external authorization program 
containing as entries protected symbolic link files and system resources pointed to by 
these protected symbolic links such that the protection of the symbolic link is 
attached to said system resources; 

a decision component with said authorization program for controlling access to 
system resources being accessed through symbolic links; and 

a decision component with said authorization program for controlling the creation 
of symbolic links through which system resources are accessed. 

23. A method for restricting the creation of a protected symbolic link that names a 
system resource comprising the steps of: 

determining a system resource named in the proposed symbolic link; 

searching a protected objects database for entries protecting said system resource 
named in the proposed symbolic link; 

generating a list of file entries that contain the system resource named in a 
proposed symbolic link; and 

generating an authorization decision for a creation attempt based on the security 
policy that governs each entry in the database. 

24. The method as described in claim 23 wherein said restriction method allows a 
creation attempt if said search does not find in a protected objects database, the resource 
named in the proposed symbolic link. 
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25. The method as described in claim 23 wherein said authorization decision step 
comprises the steps of: 

retrieving a current entry from said generated database list; 

calling a creation decision component of the externally stored resource to obtain a 
5 decision for the symbolic link creation attempt based on the security policy that governs 
the current entry in the generated database list; 

detennining whether the creation decision component allows creation of a 
symbolic link; 

if the decision component allowed creation, determining whether more entries are 
10 in this database list; 

updating a current entry in said database list when more entries are in the list and 
retuming to said current entry retrieving step. 

26. The method as described in claim 25 further comprising the step of denying the 
15 creation attempt when the decision component denies the creation attempt based on the 

security policies that govem all entries in the database protecting the system resource. 

27. The method as described in claim 25 further comprising the step of allowing the 
symbolic hnk creation attempt if no more entries in the database list. 

20 

28. The method as described in claim 23 further comprising before said retrieving 
step the step of generating a protected objects database. 
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